Passphrases vs Passwords

In a recent meeting, a client asked whether password policy best practice should favor passphrases over passwords.  The idea is that by raising the minimum length to 14 characters while dropping the special-character requirement and lowering the number of incorrect attempts allowed before lockout, the phrases users select will be easier to remember yet harder for attackers to crack.

The internal auditors of another financial institution client also recently suggested a 14-character minimum, but they still wanted to require special characters.  The momentum behind these discussions may come from this NIST publication from this past summer. Check out Appendix A, starting on page 67, for a good discussion of password policy:


The debate over passphrases vs. passwords isn’t new.  In fact, this article from 2012 urged caution about adopting passphrases in place of passwords:


Even though the article is a bit dated, it identifies the same problem as the NIST publication: the real issue is that users choose easily guessed words and phrases.

As the NIST article states, “password choices are very predictable, so attackers are likely to guess passwords that have been successful in the past. These include dictionary words and passwords from previous breaches, such as the “Password1!” example above. For this reason, it is recommended that passwords chosen by users be compared against a “black list” of unacceptable passwords. This list should include passwords from previous breach corpuses, dictionary words, and specific words (such as the name of the service itself) that users are likely to choose.”

In addition, avoid using your first or last name, your company’s name, or other easily guessed values in your passphrase or password.  Unsure of the best policy for your organization?  Ask, and we’ll help you decide.
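As an added illustration (not code from this post), here is how a password-set check could enforce the points above: the 14-character minimum, no special-character requirement, comparison against a blocklist of breached and dictionary passwords, and rejection of the service name, company name, or the user's own name. The blocklist entries, the service name, and the names passed in are constructed placeholders.

```python
import re
import unicodedata
from typing import List

# Constructed stand-in for a real blocklist built from breach corpuses and dictionary words.
BLOCKLIST = {"password1!", "letmein", "iloveyou", "qwertyuiop", "welcome"}

MIN_LENGTH = 14             # the 14-character minimum discussed above
SERVICE_NAME = "examplebank"  # hypothetical service name (constructed)


def normalize(text: str) -> str:
    """Fold case and strip accents, spaces and punctuation so trivial variants still match."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(c for c in text if not unicodedata.combining(c))
    return re.sub(r"[^a-z0-9]", "", text.lower())


# Normalized once so that "Password1!" and "password1" compare equal.
_NORMALIZED_BLOCKLIST = {normalize(entry) for entry in BLOCKLIST}


def check_password(candidate: str, first_name: str = "", last_name: str = "",
                   company: str = "") -> List[str]:
    """Return the list of policy failures; an empty list means the candidate is acceptable.

    Note that nothing here demands special characters: length plus the blocklist and
    context checks do the work, which is the policy shift the post describes.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    norm = normalize(candidate)
    if norm in _NORMALIZED_BLOCKLIST:
        problems.append("appears on the blocklist (breach corpus / dictionary words)")
    # Words users are likely to pick: the service itself, their employer, their own name.
    context = (("service name", SERVICE_NAME), ("first name", first_name),
               ("last name", last_name), ("company name", company))
    for label, word in context:
        w = normalize(word)
        if len(w) >= 3 and w in norm:
            problems.append(f"contains the {label} '{word}'")
    return problems


if __name__ == "__main__":
    for pw in ("Password1!", "coffee before the 7am standup"):
        print(repr(pw), "->", check_password(pw) or "accepted")
```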